These links are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval me. I’m not responsibility for the accuracy, legality or content of the external site or for that of subsequent links. Contact the external site for answers to questions regarding its content.
Microsoft Entra Management and Security Tools
🧰 PowerShell Modules and other Management Tools
Name | Description from Project/Repo page | Repository | Project page/Blog |
---|---|---|---|
AzureAD | Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features. ⚠️This module is planned for deprecation. For more details on the deprecation plans, see the deprecation update | PowerShell Gallery: AzureAD | AzureAD Module |
Azure AD application secret rotator for Azure web sites | Azure AD App Secret Manager automates the rotation of your Azure web sites secrets integrated with user approval and notification in Microsoft Teams | Azure/AzureAD-AppSecretManager | Â |
AzureADExporter | The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files. This module can be run as a nightly scheduled task or a DevOps component (Azure DevOps, GitHub, Jenkins) and the exported files can be version controlled in Git or SharePoint. | microsoft/azureadexporter | Â |
Azure AD Toolkit | The Azure AD Toolkit is a PowerShell module that providers helper cmdlets to manage the credentials of your application or service principal. | microsoft/AzureADToolkit | Â |
AzADServicePrincipalInsights | Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications) | JulianHayward/AzADServicePrincipalInsights | Â |
AzureADAssessment | The Azure AD Governance Assessment module runs an analysis of guest users and their permissions in a tenant. | AzureAD/AzureADAssessment | AzureADAssessement and PowerBI Reports (icewolf.ch) |
Azure AD Governance Assessment | Tooling for assessing an Azure AD tenant state and configuration | AzureAD-Governance-Assessment | AzureADAssessement and PowerBI Reports (icewolf.ch) |
Azure AD B2C Custom Policy Manager | This is a sample management tool for B2C Custom Policies. Custom policy allows you to customize every aspect of the authentication flow. | azure-ad-b2c/custom-policy-manager |  |
Azure AD B2C Load Tests | This sample intends to show how to create and run a load test of Azure AD B2C user flows and custom policies (including dependencies), and evaluate the results using the Azure Load Testing Service. Use this sample to perform a load test and determine your web application and B2C flows behavior under anticipated peak load conditions, identify bottlenecks and determine which element is causing degradation. | azure-ad-b2c/load-tests | Â |
Azure AD Connect Configuration Documenter | AAD Connect configuration documenter is a tool to generate documentation of an Azure AD Connect installation. Currently, the documentation is only limited to the Azure AD Connect sync configuration. | microsoft/AADConnectConfigDocumenter | Â |
AzureAuth | CLI wrapper for performing AAD Authentication. It makes use of MSAL for authentication and MSAL Extensions for caching. The CLI is designed for authenticating and returning an access token for public client AAD applications. This acts like a credential provider for Azure Devops and any other public client app. | AzureAD/microsoft-authentication-cli |  |
CA Optics - Azure AD Conditional Access Gap Analyzer | Azure AD Conditional Access Gap Analyzer is a solution for scanning gaps that might exist within complex Azure Active Directory Conditional Access Policy setups. | jsa2/caOptics | Â |
DCToolbox | A PowerShell toolbox for Microsoft 365 security fans. | DanielChronlund/DCToolbox | DCToolbox PowerShell Module for Microsoft 365 Security, Conditional Access Automation, and more |
EasyPIM | EasyPIM is a PowerShell module created to help you manage Microsof Entra Privileged Identity Management (PIM). Packed with more than 30 cmdlets, EasyPIM leverages the ARM and Graph APIs to let you configure PIM Azure Resources, Entra Roles and groups settings and assignments in a simple way . | kayasax/EasyPIM | Â |
Fortigi ConditionalAccess | This solution consists of powershell functions, bundled in a module to help automate and regulate Conditional Access deployment and maintance. | Fortigi/ConditionalAccess | Â |
Maester | Monitor your Microsoft 365 tenant’s security configuration using Maester! Maester is a PowerShell-based test automation framework designed to help you monitor and maintain the security configuration of your Microsoft 365 environment. | maester365/maester | Get started - Maester.dev Videos: Microsoft365DSC YouTube Channel Video: Introducing Maester: Your Microsoft 365 test automation framework by Merill Fernando |
IdentityProtectionTools | The Identity Protection Tools PowerShell module contains sample functions for enumerating Risky Users by RiskLevel and date when their risk was last updated, Dismissing Risk for selected users for bulk operations, confirming Compromise for selected users for bulk operations. | AzureAD/IdentityProtectionTools | Â |
Microsoft365DSC | This module allows organizations to automate the deployment, configuration, reporting and monitoring of Microsoft 365 Tenants via PowerShell Desired State Configuration. The compiled configuration needs to be executed from an agent’s Local Configuration Manager (LCM) (machine or container) which can communicate back remotely to Microsoft 365 via remote API calls (therefore requires internet connectivity). | microsoft/Microsoft365DSC | Introduction - M365DSC.com Videos: Microsoft365DSC YouTube Channel |
Microsoft Graph SDK | The Microsoft Graph PowerShell SDK is a collection of PowerShell modules that contain commands for calling Microsoft Graph service. | microsoftgraph/msgraph-sdk-powershell | Microsoft Graph PowerShell SDK overview Samples: Graph PowerShell Samples Community |
Microsoft Graph Developer Proxy | Microsoft Graph Developer Proxy is a command line tool for testing Microsoft Graph and other APIs. | microsoftgraph/msgraph-developer-proxy | Introducing the Microsoft Graph Developer Proxy community preview |
Microsoft Cloud Group Analyzer | For Microsoft Cloud admins who struggle to keep track of where Entra ID groups are used, Group Analyzer is an opensource script that provides instant insights in what services/policies/… a given group or user is scoped to. | asperbaes/Microsoft-Cloud-Group-Analyzer |  |
Microsoft Identity Tools PowerShell Module | The Microsoft Identity Tools PowerShell module provides various tools for performing enhanced Identity administration activities. It is intended to address more complex business scenarios that can’t be met solely with the use of MS Graph PowerShell SDK module. | AzureAD/MSIdentityTools |  |
Microsoft Identity DotNet Analyzers | Contains static analyzers to detect bad practices in the usage of .NET authentication libraries | AzureAD/microsoft-identity-dotnet-analyzers | Â |
MSAL.PS | The MSAL.PS PowerShell module wraps MSAL.NET functionality into PowerShell-friendly cmdlets and is not supported by Microsoft. Microsoft support does not extend beyond the underlying MSAL.NET library. | AzureAD/MSAL.PS | Microsoft Graph using MSAL with PowerShell - darrenjrobinson |
PIMScan | Tool for creating reports on Entra ID Role Assignments | canix1/PIMSCAN | Â |
PSMSGraphBatchRequest | The MSGraphBatchRequest PowerShell module provides a convenient way to transform data into Microsoft Graph Batch Requests by converting PowerShell objects to JSON with proper schema validation. | PSMSGraphBatchRequest | Â |
SCuBA M365 Security Baseline Assessment Tool | Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. | cisagov/ScubaGear |  |
Terraform Provider for Azure Active Directory | The Azure Provider can be used to configure infrastructure in Azure Active Directory using the Microsoft Graph API. | hashicorp/azuread - Terraform Registry | Docs overview |
🛡️ Security Research Tools
Name | Description from Project/Repo page | Repository | Project page/Blog |
---|---|---|---|
AADInternals | AADInternals is PowerShell module for administering Azure AD and Office 365 | Gerenios/AADInternals: AADInternals | AAD Internals (aadinternals.com) |
Azure AD Incident Response PowerShell Module | The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response. | AzureAD/Azure-AD-Incident-Response-PowerShell-Module | Â |
Entra ID Security Config Analyzer (EIDSCA) | Logic App solution to ingest configuration data of Azure AD to Log Analytics for monitoring and strengthen identity security posture. | Cloud-Architekt/AzureAD-Attack-Defense | Â |
azbelt | Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines | daddycocoaman/azbelt | Â |
AppTotal | Analyze suspicious OAuth apps, browser extensions and SaaS add-ons to detect harmful apps, risky permissions and other security issues. | AppTotal.io | Â |
AzureHound | The BloodHound data collector for Microsoft Azure | BloodHoundAD/AzureHound | Automating Things 0x01 – AzureHound for blue teams |
AzTokenFinder | Is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others. | HackmichNet/AzTokenFinder | Â |
AzureRT | Helpful utilities dealing with access token based authentication, switching from Az to AzureAD  and az cli interfaces, easy to use pre-made attacks such as Runbook-based command execution and more. | mgeeky/AzureRT: AzureRT |  |
BadZure | BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. | mvelazc0/BadZure | Â |
Bloodhound | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. | BloodHoundAD/BloodHound | BloodHound: Six Degrees of Domain Admin |
BloodHound Attack Research Kit /BARK) | BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft’s Azure suite of products and services. | BloodHoundAD/BARK: BloodHound |  |
CrowdStrike Reporting Tool for Azure (CRT) | This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments. | CrowdStrike/CRT/CRT | Â |
Forest Druid | Free Tier 0 attack path discovery tool for Active Directory environments by Semperis | Forest Druid | Closing Attack Paths to Tier 0 Assets with Forest Druid |
GraphRunner | Post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. | dafthack/GraphRunner | Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365 |
GraphSpy | Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI | RedByte1337/GraphSpy | GraphSpy – The swiss army knife for attacking M365 & Entra |
MAAD Attack Framework | MAAD-AF is an open-source cloud attack tool developed for testing security of Microsoft 365 & Azure AD environments through adversary emulation. MAAD-AF provides security practitioners easy to use attack modules to exploit configurations across different M365/AzureAD cloud-based tools & services. | vectra-ai-research/MAAD-AF | Â |
Mandiant Azure AD Investigator | This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. | mandiant/Mandiant-Azure-AD-Investigator |  |
MicroBurst | MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use. | NetSPI/MicroBurst | Various blog posts on: https://www.netspi.com/blog/ |
Monkey365 | Monkey365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start. To help with this effort, Monkey365 also provides several ways to identify security gaps in the desired tenant setup and configuration. Monkey365 provides valuable recommendations on how to best configure those settings to get the most out of your Microsoft 365 tenant or Azure subscription. | silverhack/monkey365 | Â |
ROADtools | ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. | dirkjanm/ROADtools | Introducing ROADtools - The Azure AD exploration framework - dirkjanm.io |
PurpleKnight | Semperis built Purple Knight—a free AD and Azure AD security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment. | PurpleKnight Community | Purple Knight Introduces Azure AD Security Indicators |
RedCloud OS | RedCloud OS is a Debian based Cloud Adversary Simulation Operating System for Red Teams to assess the security of leading Cloud Service Providers (CSPs). It includes tools optimized for adversary simulation tasks within AWS, Azure and GCP. | RedTeamOperations/RedCloud-OS | Â |
onedrive_user_enum | Python script to enumerate valid OneDrive users | nyxgeek/onedrive_user_enum | TrustedSec - OneDrive to enum them all |
SimuLand | SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify effectiveness of related Microsoft 365 Defender, Azure Defender and Microsoft Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise. | Azure/SimuLand | SimuLand: Understand adversary tradecraft and improve detection strategies - Microsoft Security Blog |
Stormspotter | Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work. | Azure/Stormspotter |  |
SkyArk | SkyArk currently focuses on mitigating the new threat of Cloud Shadow Admins, and helps organizations to discover, assess and protect cloud privileged entities. Stealthy and undercover cloud admins may reside in every public cloud platform and SkyArk helps mitigating the risk in AWS and Azure. | cyberark/SkyArk | Â |
TeamFiltration | TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. | Flangvik/TeamFiltration | Â |
TokenMan | Token Man is a tool for supporting post-exploitation activities using AAD access and/or refresh tokens. | secureworks/TokenMan | Â |
TokenTactics | Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user’s access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more. For instance, if you have a Graph or MSGraph token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, switch to an Outlook token and read/send emails or MS Teams and read/send teams messages! | rvrsh3ll/TokenTactics |  |
TokenTactics v2 | A fork of TokenTactics with support for CAE and token endpoint v2. Detailed output for Parse-JWTtoken to display related information for longer-lived (CAE-capable) tokens. |
f-bader/TokenTacticsV2 | Continuous access evaluation - CloudBrothers.info |
Vajra | Vajra is a UI based tool with multiple techniques for attacking and enumerating in target’s Azure environment. Vajra presently supports Azure and AWS Cloud environments, with plans to add support for Google Cloud Platform and certain OSINT in the future. | TROUBLE-1/Vajra |  |
🪄 Postman Collections
Collection Name | Link to Collection/Fork | Documentation |
---|---|---|
Azure AD v2.0 Protocols | Collection for Authentication Flows | Microsoft identity platform and OAuth 2.0 |
Microsoft Graph API | Microsoft Graph Collection | Use Postman with the Microsoft Graph API |
Microsoft Threat Protection | Microsoft-Threat-Protection/Postman at master · richlilly2004 |  |
Verified ID | VerifiedID Request API, VerifiedID Admin API | active-directory-verifiable-credentials/Postman |
🧑‍💻 Visual Studio Code Extensions
Extension Name | Description from Project/Repo page | Project repository | Marketplace |
---|---|---|---|
Azure AD B2C | The Azure AD B2C extension for VS Code lets you quickly navigate through Azure AD B2C custom policies. Create elements like technical profiles and claim definitions. For more information, see Get started with custom policies. | azure-ad-b2c/vscode-extension | Azure AD B2C |
MS Graph Completion | This VSCode extension allows you to auto-complete the Microsoft Graph API URLs you are writing. You get the most useful Microsoft Graph Explorer functionality in your favorite editor. | estruyf/vscode-msgraph-autocomplete | MS Graph Completion |